
Answers to your questions from the IoT Security webinar

by Theresa Bui

Today we wrapped up our 4-part Real IoT webinar series, with our final session: IoT Security – Your Checklist for Success. Thanks to everyone who participated, as well as to Michela Menting, Digital Security Research Director at ABI Research and Cisco Jasper’s Theresa Bui, who led the discussion. Providing an in-depth education on the IoT security ecosystem, this webinar looked at end-to-end security considerations across the device, data transport, network, and application layers.

I know we need to consider security for all the layers of the IoT business, but is there a recommended place to start?

We often say IoT security takes a village – so from the get-go, make sure you partner closely with all the players in your security ecosystem. That can help inform you on where to focus the most attention in your earliest stages, based on your industry and proposed IoT solution.

That said, it often starts with hardware, as that’s the “thing” through which you’ll transmit data and deliver IoT services. It’s imperative to work closely with the device manufacturer to find out what they’re doing for security, and what you can do beyond that. When you’re assessing risk, remember that even small, simple devices can be vulnerable. Low-cost devices such as soil monitors or smart meters often have limited security measures and access controls, typically because it’s not cost-effective to “harden” those devices. But if they are deployed on a massive scale, an attack that compromises them could have a major impact.

What are the Top 3 things we can tell our clients to support the idea that cellular is more secure than using WiFi for IoT data transport?

Cellular networks are the best-managed and most reliable networks available anywhere in the world today. Outages are rare, and global security standards make it very hard to break into the network and steal data. Plus, using an IoT connectivity management platform, you can monitor devices and network conditions in real time and act quickly to resolve problems.

With WiFi or fixed lines, you may compromise service quality and incur unexpected costs. If a WiFi connection fails, it can go unnoticed, which leaves your end users without service. If you’re depending on a modem to capture data usage and a device goes rogue, you might not see it for a while, and risk running up a huge bill in data overages.

Cellular IoT lets you set up secure private networks, enabling you to isolate device data from other network traffic, and even separate streams for different types of data transmitted, each with differing levels of security.

Easy-to-hijack ‘smart’ devices just crashed some of the world’s biggest online platforms via DDoS attacks. How should companies be thinking about prevention in the future?

Let’s face it, security attacks are going to happen. So work closely with your device manufacturer and application developer to make sure they’re doing everything possible to implement security measures. Next, our #1 recommendation that’s within your control to mitigate risk is to “know your normal.” Establish baselines for how your devices should normally behave (e.g., when and how long they should connect, normal data usage, etc.), and have a system in place to constantly monitor devices and alert you to any abnormalities so you can take immediate corrective action.

With authentication, authorization and accounting security, do you feel one needs encryption for all data transmission or just high-risk data?

All data should be encrypted, but the level of protection required depends on the vertical and use case. If you’re in a high-risk industry like financial services, connected cars, or healthcare, you’ll want to have more stringent controls at every level. For low-risk devices like smart meters, maybe less. It can be very helpful to have systems that enable you to classify the types of data being collected. That way you can route certain data, such as video streams and customer information, into secure private networks and adjust the level of protection accordingly.

Would you agree that during initial risk assessment, a strong level of penetration testing be performed, especially with a legacy setup?

Yes. Penetration testing is extremely useful as part of an initial and ongoing risk assessment strategy. Do it on a regular basis, either quarterly or at least a couple of times a year.

Some industrial manufacturing companies seem to think the best security is no connection to the outside world. Is there any way around that in order to introduce an Industrial IoT solution?

Most high-end factories such as connected car makers are a closed loop. However, there’s no realistic deployment where data collected in a factory stays exclusively in the factory. The reason to have connected devices is to mine the data, which must be transmitted to cloud applications, so there’s always at least one door to the outside world. Even if your enterprise controls all the devices connected to the cloud and controls how the cloud is hosted, you’re still pushing data outside the premises through a secure pipe. Obviously, the fewer pipes you have, the easier it is to monitor security.

A lot of security testing will come after the solution is built. How can we minimize the time and cost of multiple fixes late in the game?

The companies most successful at managing IoT security have made it a core foundational phase when first thinking about building, deploying, and supporting IoT solutions. For example, best practices in large companies (think connected car makers and home security and automation providers) include partnering tightly with vendors supporting their IoT deployment, and using a detailed, customized checklist to conduct IoT security checkups on a regular basis (quarterly or yearly).

To build security into your earliest stages of development, consider a systematic approach such as a Secure Software Development Lifecycle (SSDLC). It equips you to identify and address issues such as data privacy and network and system reliability, while mitigating risk and potential costs. Using an SSDLC can also make it easier to remediate problems uncovered later in the release cycle, and help streamline audits required for security certifications.

What is the link between security and functional safety, and where does this fit with the overall IoT security checklist?

Certification for specific functional safety standards is sometimes required in certain domains such as industrial, automotive, aerospace, and medical. The umbrella standard is IEC 61508, and when we start connecting high-value devices for delivering IoT services, there will be more impact on functional safety. A good example is connected cars. Auto makers must ensure functional safety of control systems, but those systems may be in jeopardy once they’re wirelessly transmitting data to backend systems. In fact, there’s ongoing discussion about incorporating cybersecurity into the ISO 26262 standard that addresses functional safety in automotive control systems.

Who are the groups or consortiums currently working on IoT security?

Cloud Security Alliance Mobile Working Group – IoT Initiative

Industrial Internet Consortium Security Working Group

Trusted Computing Group

Federal Trade Commission Guidance

OWASP Internet of Things Project

CSA IoT Security Guidance

Open Group IoT Work Group

IEEE Draft P2413 standard for an Architectural Framework for the IoT

International Standards Organization’s Special Working Group on the IoT

IEC 62443/ISA99, Industrial Automation and Control System Security Committee

IoT Security Foundation

Online Trust Alliance IoT Trustworthy Working Group

Open Interconnect Consortium IoTivity project

GlobalPlatform’s Internet of Things Task Force

Trustonic

NFC Forum

GSMA IoT security guidelines development

The Kantara Initiative

You mentioned using a connectivity management platform to set up rules-based security. Can you provide an example of the rules?

With the Cisco Jasper connectivity management platform, Control Center, automated security rules make it easier to prevent fraudulent access to your IoT devices. As an example, you could create a fraud detection rule to protect against anyone using one of your SIMs in an unauthorized device. With this rule, if someone removes a SIM from one of your devices and tries to use it elsewhere, Control Center will automatically detect the unauthorized use and send you an alert. You could also add a rule for taking corrective action, such as deactivating connectivity to prevent illegal use and unwanted usage costs.
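To make both the “know your normal” baseline monitoring described earlier and the SIM-in-unauthorized-device rule concrete, here is an added example (not Control Center code, and not from the webinar) that runs two such rules over constructed session records. The SIM-to-device provisioning table, the usage history, and the 3-standard-deviation threshold are all assumptions chosen for illustration.

```python
"""Added example: rules-based monitoring of cellular IoT device sessions.

Rule 1 (fraud detection): a SIM (ICCID) is seen in a device (IMEI) other
than the one it was provisioned to, i.e. someone pulled the SIM and used it
elsewhere. Recommended action: deactivate connectivity for that SIM.
Rule 2 (know your normal): a session's data usage exceeds the device's
baseline mean by more than k standard deviations. Recommended action: alert.
All identifiers, histories and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

@dataclass
class Session:
    iccid: str       # SIM identifier reported by the network
    imei: str        # device identifier the SIM was seen in
    bytes_used: int  # data volume transferred in this session

# Constructed provisioning table: the one IMEI each SIM is authorised for.
AUTHORISED: Dict[str, str] = {"ICCID-0001": "IMEI-A", "ICCID-0002": "IMEI-B"}

# Constructed usage history (bytes per session) that defines each SIM's "normal".
BASELINE: Dict[str, List[int]] = {
    "ICCID-0001": [10_000, 12_000, 9_500, 11_000, 10_500],
    "ICCID-0002": [500, 600, 550, 650, 520],
}

# Corrective action per rule; the action itself would be an API call in practice.
ACTIONS = {"sim_in_unauthorised_device": "deactivate_sim",
           "usage_above_baseline": "alert_operator"}

def check_sessions(sessions: List[Session], authorised=AUTHORISED,
                   baseline=BASELINE, k: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (iccid, rule, action) for every session that trips a rule."""
    findings = []
    for s in sessions:
        # Rule 1: unknown SIM, or SIM in a device it was not provisioned for.
        if authorised.get(s.iccid) != s.imei:
            findings.append((s.iccid, "sim_in_unauthorised_device",
                             ACTIONS["sim_in_unauthorised_device"]))
            continue  # a SIM that should be deactivated needs no usage check
        # Rule 2: usage far above this SIM's historical baseline.
        hist = baseline.get(s.iccid, [])
        if not hist:
            continue  # no baseline yet: nothing to compare against
        if s.bytes_used > mean(hist) + k * pstdev(hist):
            findings.append((s.iccid, "usage_above_baseline",
                             ACTIONS["usage_above_baseline"]))
    return findings
```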